Canada Passes New PIPEDA Provisions

Jul 22, 2015

Canadian officials are warning organizations that handle personal information to review their privacy policies and security safeguards to ensure compliance with the recently passed Digital Privacy Act.

The new provisions, which took effect June 18, are part of the Personal Information Protection and Electronic Documents Act (PIPEDA). They allow for significant fines and require breach notifications.

The Financial Post reports, “The mandatory notification provisions require organizations to notify the privacy commissioner, as well as potentially affected individuals, of a privacy breach ‘as soon as feasible,’ but only if there is a ‘real risk of significant harm.’”

The mandate defines significant harm as humiliation, reputational damage, loss of employment or business opportunities, financial loss, and identity theft, according to the Financial Post. Companies also may be required to notify other organizations if doing so might mitigate the harm.

Penalties for knowingly violating the notification requirements can reach $100,000 per violation. The new provisions also state that the privacy commissioner is no longer required to keep private the confidential information gathered from complaints or others.

“This is likely to make organizations much less willing to make a full and frank disclosure to the Commissioner,” advised lawyers Daniel Glover, Charles Morgan, Barry Sookman, and Kirsten Thompson in McCarthy Tétrault’s e-Lert. “In addition, organizations dealing with the Commissioner will now have to be concerned about ensuring their trade secrets and confidential information are adequately protected (potentially through sealing orders or similar mechanisms) as well as ensuring that, by providing information to the Commissioner, they are not in violation of their agreements with third parties or requests made by law enforcement.”

Other notable features of the legislation include targeted exceptions to the need for consent and an expansion of the scope of “business contact information” that will not be treated as “personal information.”